DNSSEC's early adopters provide test beds for others

In anticipation of widespread adoption, .edu and .org offer valuable lessons

Two early adopters of the DNS Security Extensions were the .edu and .org generic top-level domains, which have been using DNSSEC on a limited basis to provide real-world experience with the protocol.

Some of the test beds have been operating for years.

“We deployed DNSSEC first back in 2006” for a research network, said Shumon Huque of the University of Pennsylvania. It was deployed throughout the university in summer 2009, using homegrown tools for signing and key management.

Louisiana State University signed its first testing zone in 2008 and has been experimenting with various tools and signing algorithms, said LSU’s Anthony Iliopoulos. The .edu test beds were integrated in fall and winter 2009, and the domain expects to begin offering verifiable signed DNS records this summer, after the Internet root zone releases its trust anchor – a cryptographic certificate that validates a chain of trust. The root zone’s 13 root servers were signed this winter and spring.

The .edu top-level domain was a good candidate for testing because it is a relatively small domain with one registrar, Educause, with many users in the research and education community. Challenges included the need to strengthen technical understanding of the protocol and document best practices for key management and rollover, said Rodney Petersen, director of Educause’s cybersecurity initiative.

“Implementing DNSSEC adds complexity to management of the Domain Name System,” said Joe Waldron, director of product management at VeriSign, .edu’s registry operator.

Dealing with that complexity requires tools to automate the processes. “There are companies that have been developing the capability for DNSSEC for years,” Waldron said. Standards have been defined, and hardware, software and service offerings are available. “There is still a challenge in education and experience” for users, he said. “But the tools are fairly mature.”

The .org zone was signed with DNSSEC in June 2009, and its operators have provided their insights to government planners, including advice on protocols for minimizing computational overhead; processes for rolling over, distributing and securing cryptographic signing keys; and warning about a possible increase in bandwidth demand when DNSSEC is in use.

The .org domain is the third largest of the generic top-level domains, behind .com and .net, with more than 7.5 million registered domains. The Public Interest Registry implemented DNSSEC in a test environment for 18 live domains.

One concern is the use of Next Secure (NSEC) records with DNSSEC, which provide proof that a requested record does not exist. There are two schemes for accomplishing that. NSEC proves nonexistence by returning the records on either side of the requested name. But that technique lets anyone follow the chain of NSEC records and discover the entire contents of a zone. NSEC3 avoids that by using hashes of the names to affirm that a record does not exist. That requires a lot of computational overhead, which is feasible for a relatively small domain such as .org, but root zones, in which more than 90 percent of queries are for nonexistent records, could be swamped by the computations.
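As an added illustration (not code from the article or from either registry), the following Python models both schemes on a constructed four-name zone: NSEC links each name to the next in canonical order, so a denial for a missing name discloses its two neighbours and the chain can be followed around to list the whole zone, while NSEC3 links SHA-1 hashes of the names (per RFC 5155) so that following the chain yields only hashes. The salt and iteration count are assumed values.

```python
import base64
import hashlib
# Constructed toy zone for illustration (not from the article): the apex plus three hosts.
ZONE = ["example.test", "www.example.test", "mail.example.test", "alpha.example.test"]

def canonical_key(name):
    # DNSSEC canonical name order (RFC 4034 s6.1): labels compared right to left, case-insensitively.
    return [label.lower() for label in reversed(name.rstrip(".").split("."))]

def nsec3_hash(name, salt=b"\xaa\xbb", iterations=10):
    # NSEC3 owner hash (RFC 5155 s5): SHA-1 over the wire-format name and salt, re-hashed
    # `iterations` more times, base32hex-encoded. Salt and iteration count here are constructed.
    labels = name.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode()
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"))

def chain(scheme, names):
    """Closed ring of (owner, next) links: NSEC links clear-text names, NSEC3 links hashes."""
    if scheme == "NSEC":
        entries = sorted((canonical_key(n), n) for n in names)
    else:
        entries = sorted((nsec3_hash(n), nsec3_hash(n)) for n in names)
    return [(entries[i], entries[(i + 1) % len(entries)]) for i in range(len(entries))]

def denial(scheme, names, qname):
    """The (owner, next) record proving `qname` does not exist, or None if it does exist."""
    k = canonical_key(qname) if scheme == "NSEC" else nsec3_hash(qname)
    for (ok, owner), (nk, nxt) in chain(scheme, names):
        if ok == k:
            return None
        if ok < k < nk or (nk <= ok and (k > ok or k < nk)):  # last link wraps to the apex
            return owner, nxt

def follow_chain(scheme, names):
    """Walk the next pointers from the first link back around to it, as an observer collecting
    denial responses could: the result is every name under NSEC, only hashes under NSEC3."""
    links = chain(scheme, names)
    nxt = {o[1]: n[1] for o, n in links}
    start = cur = links[0][0][1]
    seen = []
    while True:
        seen.append(cur)
        cur = nxt[cur]
        if cur == start:
            return seen
```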

William Jackson is a Maryland-based freelance writer.

Thu, Jun 10, 2010 nbk

Any idea how large dotEDU and dotGOV are wrt. the number of registered second-level domains? If they are smaller than .org, what could be a reason for the delay? Has the plan to introduce DNSSEC led to an insecurity that this would break something unexpectedly?

Mon, Jun 7, 2010 Jeffrey A. Williams Frisco Texas

.EDU is not yet signed as they have delayed doing so for some technical reasons. Secondly, our testbed, which has been in operation since 2004, shows some serious problems with signature keys and key types and lengths/strengths with other test beds.
Spokesman for INEGroup LLA. - (Over 300+k members/stakeholders and growing, strong!)
"Obedience of the law is the greatest freedom" -
Abraham Lincoln

"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com
Phone: 214-244-4827

Thu, Jun 3, 2010

I'm not entirely certain why .edu is listed here. As far as I can tell, .edu is not signed, but .org is and has been for many moons.

